CloudFlare, a security and performance service that sits in front of its customers' web servers, was knocked offline for about an hour by a DDoS attack. The attack was aimed at one of the servers CloudFlare protects, and when the service attempted to filter the attack traffic, the attack took CloudFlare down as well. The attacker sent packets of nearly 100,000 bytes, far beyond the roughly 500-byte average and the maximum of almost 4,500 bytes that CloudFlare's network carries. The outage was triggered by a weakness in "Juniper routers running the Flowspec protocol": the routers did not simply discard these oversized packets on the basis of their length; instead, handling them brought the routers down. Juniper Networks is addressing the weakness. CloudFlare will be issuing service credits to the affected customers, which will certainly have a financial impact on the company.
Analysis:
The key to this attack was the weakness in Juniper's routers. The Flowspec protocol apparently pushed insufficient filtering rules to the routers. The report notes that Juniper had patched this weakness in its routers in October 2012. The weakness caused the routers to attempt to process every packet instead of performing a preliminary check on it first. Had the filter examined the packet's length before attempting to process it, the packet would have been found to far exceed both the average and the maximum packet sizes and would have been dropped. This is also a "weakest link" failure: one flawed component took down the whole service, which is exactly the pitfall a defense-in-depth approach is meant to avoid. Since all the attacker had to do was flood CloudFlare's routers with massive, unprocessable packets that consumed their full processing capacity to the point of failure, the denial of service was quick and easy. A simple length check would have precluded this problem and spared CloudFlare the loss it is forced to sustain through the service credits it has issued to customers.
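To make the "check the length before doing anything else" point concrete, here is an added example of a length-first packet filter written for this write-up; it is not CloudFlare's or Juniper's code, and it is not the rule CloudFlare deployed. The rule format is a simplified version of the BGP Flowspec match components (destination prefix, protocol, destination port, packet-length range), the 4,470-byte link maximum is an assumption based on the "almost 4,500 bytes" figure above, and the addresses and packets are constructed from documentation ranges.

```python
"""
Length-first packet filtering, modelled loosely on BGP Flowspec (RFC 5575)
match components.  Added illustration for this write-up: not CloudFlare's
or Juniper's code; all rules, addresses and packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
import ipaddress

# Largest packet the network is assumed to carry.  The write-up cites a
# CloudFlare maximum of "almost 4,500 bytes"; 4470 is an assumption.
LINK_MAX_BYTES = 4470


@dataclass(frozen=True)
class PacketHeader:
    """Only the header fields a router needs to make a filtering decision."""
    src: str
    dst: str
    protocol: int      # 6 = TCP, 17 = UDP
    dst_port: int
    length: int        # total length claimed for the packet, in bytes


@dataclass(frozen=True)
class FlowRule:
    """Simplified Flowspec rule: every component that is set must match."""
    dst_prefix: str
    action: str                        # "discard", "rate-limit" or "accept"
    protocol: Optional[int] = None
    dst_port: Optional[int] = None
    min_length: int = 0
    max_length: int = 2 ** 16 - 1      # largest length an IPv4 header can express

    def matches(self, hdr: PacketHeader) -> bool:
        if ipaddress.ip_address(hdr.dst) not in ipaddress.ip_network(self.dst_prefix):
            return False
        if self.protocol is not None and hdr.protocol != self.protocol:
            return False
        if self.dst_port is not None and hdr.dst_port != self.dst_port:
            return False
        return self.min_length <= hdr.length <= self.max_length


def decide(hdr: PacketHeader, rules: List[FlowRule]) -> str:
    """Return the action for one packet.

    The length sanity check runs first and looks only at the header, so an
    oversized packet is discarded before any rule evaluation or payload
    handling can consume router resources.  Rule order is simplified to
    first-match-wins (real Flowspec defines its own precedence).
    """
    if hdr.length > LINK_MAX_BYTES:
        return "discard"
    for rule in rules:
        if rule.matches(hdr):
            return rule.action
    return "accept"


def filter_batch(headers: Iterable[PacketHeader], rules: List[FlowRule]) -> Dict[str, int]:
    """Apply decide() to a batch of headers and count the outcomes."""
    counts = {"accept": 0, "discard": 0, "rate-limit": 0}
    for hdr in headers:
        counts[decide(hdr, rules)] += 1
    return counts


# Constructed rules protecting a hypothetical customer DNS prefix: drop
# unusually large DNS packets outright, rate-limit the rest of the DNS flood.
RULES = [
    FlowRule(dst_prefix="203.0.113.0/24", protocol=17, dst_port=53,
             min_length=1500, action="discard"),
    FlowRule(dst_prefix="203.0.113.0/24", protocol=17, dst_port=53,
             action="rate-limit"),
]

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    PacketHeader("198.51.100.7", "203.0.113.10", 17, 53, 512),    # ordinary DNS query
    PacketHeader("198.51.100.7", "203.0.113.10", 17, 53, 99971),  # attack-sized packet
    PacketHeader("198.51.100.9", "203.0.113.10", 17, 53, 3000),   # large, but within link max
    PacketHeader("198.51.100.9", "203.0.113.77", 6, 443, 1400),   # ordinary HTTPS traffic
]

if __name__ == "__main__":
    for hdr in SAMPLE:
        print(f"{hdr.length:>6} bytes -> {decide(hdr, RULES)}")
    print(filter_batch(SAMPLE, RULES))
```

The design point is that the first check is a single integer comparison on a header field, so it costs the same for a 512-byte packet as for a 99,971-byte one and never touches the payload; the more expensive prefix and port matching only runs on traffic that has already passed that gate. The same caveat applies to any filter placed in front of a service: it is itself a link in the chain, so it has to be cheap and bounded under the very traffic it is meant to stop, or it becomes the weakest link the analysis describes.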